/*
* Copyright (C) 2000-2013 Free Software Foundation, Inc.
* Copyright (C) 2013 Nikos Mavrogiannopoulos
* Copyright (C) 2017-2018 Red Hat, Inc.
*
* Author: Nikos Mavrogiannopoulos
*
* This file is part of GnuTLS.
*
* The GnuTLS is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public License
* as published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>
*
*/
|
#include "gnutls_int.h"
#include "cipher.h"
|
/* Equalise MAC timing after a failed CBC record check.
 *
 * Only relevant for CBC ciphersuites when the peer does not support
 * Encrypt-then-MAC.  When verification fails, the MAC has been run over
 * @mac_data bytes (preamble + plaintext as implied by the pad length),
 * which may be fewer than the @max_mac_data bytes the record could have
 * carried.  This routine feeds enough additional bytes into the MAC so
 * that the number of hash compression-function evaluations matches the
 * worst case, so an attacker cannot tell "wrong MAC, valid padding" from
 * "wrong MAC, invalid padding" by timing.
 *
 * @params:       read-direction record parameters; the MAC context in
 *                params->read.ctx.tls12 receives the extra data
 * @data:         the decrypted record
 * @data_size:    its size in bytes
 * @mac_data:     bytes actually passed through the MAC by the caller
 * @max_mac_data: bytes the MAC would have covered for a zero-length pad
 *
 * The return value of the extra add_auth call is deliberately ignored:
 * the caller is already on its failure path when this runs.
 */
static void dummy_wait(record_parameters_st *params,
		       const uint8_t *data, size_t data_size,
		       unsigned int mac_data, unsigned int max_mac_data)
{
	const unsigned int tag_size =
	    _gnutls_auth_cipher_tag_len(&params->read.ctx.tls12);
	const unsigned block_len = _gnutls_mac_block_size(params->mac);
	/* Bytes the hash appends to its input before the final compression:
	 * one padding byte plus the message length field, which is 16 bytes
	 * for SHA-384 and 8 bytes for the other TLS MACs. */
	const unsigned overhead =
	    (params->mac && params->mac->id == GNUTLS_MAC_SHA384) ? 17 : 9;
	int deficit;
	unsigned extra;

	/* No block structure known for this MAC: nothing we can equalise. */
	if (block_len == 0)
		return;

	/* Compression calls needed for the worst-case input minus the calls
	 * already spent on the real input.  Signed so that a (should not
	 * happen) negative difference simply yields no extra work. */
	deficit = (int)((max_mac_data + overhead + block_len - 1) / block_len)
	    - (int)((mac_data + overhead + block_len - 1) / block_len);
	if (deficit < 1)
		return;

	extra = (unsigned)deficit * block_len;

	/* The filler is taken from the record itself, ending just before the
	 * MAC tag; only do it if that window lies inside the buffer. */
	if (extra + 1 + tag_size >= data_size)
		return;

	_gnutls_auth_cipher_add_auth(&params->read.ctx.tls12,
				     data + data_size - tag_size - extra - 1,
				     extra);
}
|
/* Verifies the CBC HMAC. That's a special case as it tries to avoid
 * any leaks which could make CBC ciphersuites without EtM usable as an
 * oracle to attacks.
 *
 * Expected layout of @data (MAC-then-encrypt, already decrypted):
 *     plaintext || MAC tag (tag_size) || padding (pad bytes) || pad length
 *
 * @session:   used only to obtain the negotiated protocol version
 * @params:    read-direction record parameters (cipher, MAC, and the
 *             auth-cipher context in params->read.ctx.tls12 the MAC runs in)
 * @preamble:  scratch buffer that receives the MAC preamble built from
 *             sequence number, content type, version and length
 * @type:      record content type
 * @sequence:  record sequence number
 * @data:      decrypted record contents
 * @data_size: size of @data in bytes
 * @tag_size:  size of the MAC tag in bytes
 *
 * Returns the plaintext length (data_size minus tag, padding and the
 * trailing pad-length byte) on success; GNUTLS_E_DECRYPTION_FAILED when
 * the padding or the MAC is wrong (a single error for both, on purpose);
 * or another negative error code if the MAC computation itself fails.
 *
 * NOTE(review): data[data_size - 1] is read unconditionally and the
 * arithmetic below assumes data_size >= tag_size + 1.  The caller is
 * expected to have rejected too-short or non-block-aligned records
 * before calling this -- not visible in this file, confirm at the caller.
 *
 * Timing discipline (the "Lucky Thirteen" class of attacks): the padding
 * scan touches a pad-independent number of bytes using non-short-circuit
 * operators, padding and MAC are both evaluated before any failure is
 * reported, and on failure dummy_wait() tops up the MAC so the number of
 * hash compression calls does not reveal whether the padding was valid.
 */
int cbc_mac_verify(gnutls_session_t session, record_parameters_st *params,
		   uint8_t preamble[MAX_PREAMBLE_SIZE],
		   content_type_t type,
		   uint64_t sequence,
		   const uint8_t *data, size_t data_size,
		   size_t tag_size)
{
	int ret;
	const version_entry_st *ver = get_version(session);
	/* Running "some byte from the end differs from pad" accumulator. */
	unsigned int tmp_pad_failed = 0;
	/* Set once a mismatch occurs inside the region the pad byte claims. */
	unsigned int pad_failed = 0;
	unsigned int pad, i, length;
	const uint8_t *tag_ptr = NULL;
	unsigned preamble_size;
	/* Locally recomputed MAC, compared against the one in the record. */
	uint8_t tag[MAX_HASH_SIZE];
#ifdef ENABLE_SSL3
	unsigned blocksize = _gnutls_cipher_get_block_size(params->cipher);
#endif

	/* Last byte is the pad length; it is not counted in the pad bytes
	 * themselves (hence the "- pad - 1" in the length computation). */
	pad = data[data_size - 1];	/* pad */

	/* Check the padding bytes (TLS 1.x).
	 * Note that we access all 256 bytes of ciphertext for padding check
	 * because there is a timing channel in that memory access (in certain CPUs).
	 */
#ifdef ENABLE_SSL3
	if (ver->id == GNUTLS_SSL3) {
		/* SSL 3.0: only the pad length is validated (it must be
		 * shorter than a cipher block); the padding bytes themselves
		 * are not inspected. */
		if (pad >= blocksize)
			pad_failed = 1;
	} else
#endif
	{
		/* Walk backwards from the byte before the pad-length byte.
		 * The loop bound depends only on data_size, never on pad, and
		 * the bitwise |/& (rather than ||/&&) keep the work and the
		 * control flow independent of the byte values.  Mismatches
		 * outside the claimed pad region are accumulated but do not
		 * count as a failure. */
		for (i = 2; i <= MIN(256, data_size); i++) {
			tmp_pad_failed |=
			    (data[data_size - i] != pad);
			pad_failed |=
			    ((i <= (1 + pad)) & (tmp_pad_failed));
		}
	}

	/* Also reject a pad length that would push the MAC tag before the
	 * start of the record.
	 * NOTE(review): the (int) cast is undone by the usual arithmetic
	 * conversions because tag_size is size_t, so this comparison is
	 * unsigned; it is only meaningful given data_size >= tag_size + 1.
	 * This branch is data dependent; the mitigation is that the failing
	 * case sets pad = 0, so the MAC below runs over the longest possible
	 * input and dummy_wait() then has nothing left to add. */
	if (unlikely
	    (pad_failed != 0
	     || (1 + pad > ((int) data_size - tag_size)))) {
		/* We do not fail here. We check below for pad_failed
		 * together with the MAC result, so that bad padding and a bad
		 * MAC produce the same error after the same amount of work.
		 */
		pad_failed = 1;
		pad = 0;
	}

	/* Plaintext length; the received tag immediately follows it. */
	length = data_size - tag_size - pad - 1;
	tag_ptr = &data[length];

	/* Pass the type, version, length and plain through
	 * MAC.
	 */
	preamble_size =
	    _gnutls_make_preamble(sequence, type,
				  length, ver, preamble);

	ret =
	    _gnutls_auth_cipher_add_auth(&params->read.
					 ctx.tls12, preamble,
					 preamble_size);
	if (unlikely(ret < 0))
		return gnutls_assert_val(ret);

	ret =
	    _gnutls_auth_cipher_add_auth(&params->read.
					 ctx.tls12,
					 data, length);
	if (unlikely(ret < 0))
		return gnutls_assert_val(ret);

	ret =
	    _gnutls_auth_cipher_tag(&params->read.ctx.tls12, tag,
				    tag_size);
	if (unlikely(ret < 0))
		return gnutls_assert_val(ret);

	/* Constant-time tag comparison; pad_failed is folded into the same
	 * decision so the caller cannot distinguish the two causes. */
	if (unlikely
	    (gnutls_memcmp(tag, tag_ptr, tag_size) != 0 || pad_failed != 0)) {
		/* HMAC was not the same.  Before reporting, hash as many
		 * extra bytes as a zero-length pad would have required:
		 * actual MAC input = preamble + length,
		 * maximum MAC input = preamble + data_size - tag_size - 1. */
		dummy_wait(params, data, data_size,
			   length + preamble_size,
			   preamble_size + data_size - tag_size - 1);

		return gnutls_assert_val(GNUTLS_E_DECRYPTION_FAILED);
	}

	return length;
}